PowerShell Execution Policy inquiry (user)

Description: This query looks for the 'ExecutionPolicy' registry value under the HKEY_USERS hive to report the PowerShell script execution policy set in each local user's context.

What The Data Shows: The value returned is PowerShell's native setting that determines the script execution policy, as described in Microsoft's documentation[1]. This can be useful for IT hygiene, as well as for keeping systems secure by later changing the values if deemed necessary.


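-- ExecutionPolicy value stored in each loaded user hive (per-user scope).
SELECT data, 'user' AS 'scope',
  -- Map the SID (second component of the HKEY_USERS key) to that user's profile path.
  (SELECT data
    FROM registry AS r2
    WHERE r2.key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' || split(r1.key,'\',1)
      AND r2.name = 'ProfileImagePath') AS user,
  datetime(r1.mtime,'unixepoch','localtime') AS mtime
FROM registry AS r1
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy';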
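
The query above reads only the per-user (CurrentUser) value, which a Group Policy setting overrides when one is present. The following osquery SQL is an added example, not part of the original post: it collects every registry-backed scope for Windows PowerShell in Microsoft's documented precedence order and flags permissive values. The `precedence`, `sid` and `permissive` column names are assumptions of this example.

```sql
-- Added example: ExecutionPolicy at each registry-backed scope, highest precedence first.
-- The Process scope (-ExecutionPolicy parameter, $env:PSExecutionPolicyPreference)
-- lives only in the running session and is not visible in the registry.
SELECT 1 AS precedence, 'MachinePolicy' AS scope, '' AS sid, data,
       data IN ('Unrestricted', 'Bypass') AS permissive,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
SELECT 2, 'UserPolicy', split(key, '\', 1), data,
       data IN ('Unrestricted', 'Bypass'),
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
SELECT 3, 'CurrentUser', split(key, '\', 1), data,
       data IN ('Unrestricted', 'Bypass'),
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
UNION ALL
SELECT 4, 'LocalMachine', '', data,
       data IN ('Unrestricted', 'Bypass'),
       datetime(mtime, 'unixepoch', 'localtime')
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
  AND name = 'ExecutionPolicy'
ORDER BY precedence, sid;
```

For a given user, the lowest-numbered row returned is the registry-backed value that takes effect; a scope with no row is undefined on that endpoint.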

